Star Blizzard

High Confidence, High Threat

SEABORGIUM • Callisto Group • TA446 • COLDRIVER • TAG-53 • BlueCharlie

Star Blizzard is a Russia-based cyber espionage group assessed by the UK National Cyber Security Centre (NCSC) and international partners as almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18. Active since at least 2019, the group has conducted persistent spearphishing campaigns targeting academia, defense, governmental organizations, NGOs, think tanks, and politicians, with targets in the UK and US most affected. The group is characterized by its sophisticated social engineering techniques, including extensive pre-attack reconnaissance using open-source resources and social media to identify hooks to engage targets. Star Blizzard creates impersonation accounts mimicking known contacts of their targets, often building rapport over extended periods before delivering malicious links. The group uses the open-source EvilGinx framework to harvest credentials and session cookies, successfully bypassing two-factor authentication.

Origin: Russia
Sponsor: FSB (Federal Security Service) Centre 18
Active: 2019 - Present
Victims: Hundreds of individuals and organizations
Advanced
Active
Espionage, Intelligence Collection
Risk Assessment

Composite Risk Score: 80 (High Risk)
ARCS Compliance: 88
Escalation Risk: 82
Grievance Index: 78
Infrastructure Impact: 65

Targeting

Target Sectors

Government, Defense, Academia, Think Tanks, NGOs

Target Regions

United Kingdom, United States, NATO Countries

Attribution & Affiliations

Attributed to FSB (Federal Security Service) Centre 18 (Russia). Attribution confidence: High.

Intelligence Assessment

Threat Level: High
Targeting: Highly
Adaptability: Highly
Persistence: High
Op Tempo: Continuous
Status: Active

Future Outlook

Star Blizzard is expected to continue evolving its spearphishing techniques despite law enforcement disruptions.

Timeline of Key Events

2019 (Major): First observed activity targeting academia and government
December 2023 (Major): Joint Five Eyes advisory AA23-341A published
October 2024 (Major): DOJ disrupts spear-phishing infrastructure